A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name System (DNS) as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use DNS against the very core of the Internet itself in protest against the Stop Online Piracy Act.

This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn't brought the Internet itself down, it has caused major slowdowns in the Internet's core networks.

DNS amplification (or DNS reflection) remains possible after years of warnings from security experts. The attacker sends small queries to open recursive resolvers with the source address forged to be the victim's, and each resolver obligingly sends its much larger response to the victim, so a modest amount of attack bandwidth is multiplied many times over. That it still works is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats: ingress filtering that drops packets with forged source addresses (BCP 38) and closing recursive resolvers to the public would blunt it. Some network providers have made such changes, which prevent botnets or "volunteer" systems within their networks from staging these attacks. But thanks to public cloud services, "bulletproof" hosting services, and other services that let attackers spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.
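The mechanism described above, as an added example that is not code from the article, from Spamhaus, or from any party named on this page: the packet helpers follow the RFC 1035 wire format, the resolver log records are constructed for illustration, and the detector's thresholds (20 queries, a median response-to-query ratio of 10) are assumptions an operator would tune for their own traffic. It shows why a 29-byte ANY query can draw an answer of over 800 bytes, and how the reflection pattern looks in a resolver's own logs, where the flagged "client" address is in fact the victim.

```python
"""Added example (not code from the article or Spamhaus): DNS amplification
arithmetic in RFC 1035 wire format, plus a detector for the reflection
pattern over constructed resolver log records."""
import struct
from collections import defaultdict
from statistics import median

QTYPE_ANY, QTYPE_TXT, CLASS_IN = 255, 16, 1


def encode_name(name):
    """Encode 'example.com' as length-prefixed DNS labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Minimal query: 12-byte header (RD flag, one question), then QNAME/QTYPE/QCLASS.
    The attacker sends exactly this, with the victim's address forged as the IP source."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_dns_response(query, rdatas, qtype=QTYPE_TXT, ttl=3600):
    """Answer with one RR per rdata, pointing each owner name back at the question
    (compression pointer 0xC00C). Every RR adds 12 bytes of framing plus its payload
    while the query stays fixed, which is the whole amplification effect."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(rdatas), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rd)) + rd
        for rd in rdatas
    )
    return header + query[12:] + answers


def amplification_factor(query, response):
    """Bytes delivered to the spoofed source per byte the attacker had to send."""
    return len(response) / len(query)


# Constructed resolver log records, not real traffic:
# (client_ip, qname, qtype, query_bytes, response_bytes).
# Under reflection the "client" is the spoofed victim: one address, many identical
# high-ratio queries. The two trailing records are ordinary lookups for contrast.
SAMPLE_RECORDS = [("198.51.100.7", "example.com", "ANY", 29, 833)] * 50 + [
    ("192.0.2.10", "www.example.net", "A", 33, 49),
    ("192.0.2.11", "mail.example.net", "MX", 34, 80),
]


def find_reflection_targets(records, min_queries=20, min_ratio=10.0):
    """Group records by source address and flag addresses that received many
    high-ratio responses. Thresholds are assumptions to tune per resolver.
    Returns {ip: (query_count, median_ratio, fraction_of_ANY_queries)}."""
    by_ip = defaultdict(list)
    for ip, _qname, qtype, qbytes, rbytes in records:
        by_ip[ip].append((rbytes / qbytes, qtype == "ANY"))
    flagged = {}
    for ip, rows in by_ip.items():
        ratios = [ratio for ratio, _ in rows]
        if len(rows) >= min_queries and median(ratios) >= min_ratio:
            any_fraction = sum(is_any for _, is_any in rows) / len(rows)
            flagged[ip] = (len(rows), round(median(ratios), 1), round(any_fraction, 2))
    return flagged


if __name__ == "__main__":
    q = build_dns_query("example.com")
    # Three TXT records, each a 255-byte character-string with its one-byte length prefix.
    r = build_dns_response(q, [b"\xff" + b"x" * 255] * 3)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    print(find_reflection_targets(SAMPLE_RECORDS))
```

The detector keys on the source address because, from the resolver's point of view, that is the only thing the attacker cannot vary: every reflected response must go to the victim. Pairing this with rate limiting per source and refusing recursion to addresses outside your own networks is the operator-side fix; the source-spoofing itself is only stopped upstream, by the attacker's own provider filtering forged addresses.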

[Figure: An overview of a browser-based exploit that abuses cloud services. Credit: Vasant Tendulkar et al.]

Scientists have devised a browser-based exploit that allows them to carry out large-scale computations on cloud-based services for free, a hack they warn could be used to wage powerful online attacks cheaply and anonymously.

The method, described in a research paper scheduled to be presented at next month's Computer Security Applications Conference, uses the Puffin mobile browser to push computationally intensive jobs onto a cloud-based service that was never intended for such purposes. Normally, Puffin and other so-called cloud-based browsers are used only to accelerate the loading of Web pages on mobile devices by rendering JavaScript, images, and text from disparate sources on a server and only then delivering it to the smartphone or tablet. That's more efficient than relying on mobile devices with limited computing power to render such content themselves.

Now, computer scientists at North Carolina State University and the University of Oregon have demonstrated a way to abuse such services. By creating a customized browser that mimics Puffin, they were able to trick the cloud-based servers it relies on to count words, search for text strings, and carry out other tasks the service was never designed for—free and semi-anonymously. Out of ethical considerations, they limited both the scope and workload imposed on the cloud resources, but they warned less-scrupulous attackers could use similar techniques to perform powerful denial-of-service attacks and password cracks.

Piercing a key defense found in cloud environments such as Amazon's EC2 service, scientists have devised a virtual machine that can extract private cryptographic keys stored on a separate virtual machine when it resides on the same piece of hardware.

The technique, unveiled in a research paper published by computer scientists from the University of North Carolina, the University of Wisconsin, and RSA Laboratories, took several hours to recover the private key for a 4096-bit ElGamal-generated public key using the libgcrypt v.1.5.0 cryptographic library. The attack relied on "side-channel analysis," in which attackers crack a private key by studying the electromagnetic emanations, cache timing, or other physical manifestations of the targeted cryptographic system rather than its mathematics. Here the channel was the processor's level-1 instruction cache, shared by the attacker's and the victim's virtual machines when they run on the same core: by repeatedly filling the cache with its own code and then timing how long that code takes to reload (the "Prime+Probe" technique), the attacker VM could tell which of the victim's routines had just executed, and libgcrypt's square-and-multiply exponentiation runs different code depending on each bit of the secret exponent.

One of the chief selling points of virtual machines is their ability to run a variety of tasks on a single computer rather than relying on a separate machine to run each one. Adding to the allure, engineers have long praised the ability of virtual machines to isolate separate tasks, so one can't eavesdrop on or tamper with the other. Relying on fine-grained access control mechanisms that allow each task to run in its own secure environment, virtual machines have long been considered a safer alternative for cloud services that cater to the rigorous security requirements of multiple customers. That isolation, however, governs memory, disks, and devices; it does not stop one VM from observing the timing of shared hardware such as the CPU caches, which is exactly the channel this attack uses.
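An idealized model of the cache channel, added here and not taken from the paper: there is no real cache, only a toy that records which party last filled each set; the sets each routine occupies are assumed; and the attacker gets a clean probe after every exponent bit, whereas the paper had to fight hypervisor scheduling and noise to get anywhere near that. It shows why a square-and-multiply loop leaks the exponent to Prime+Probe, and why a square-and-always-multiply loop, which touches the same code on every bit, gives the attacker nothing but the key length.

```python
"""Added example, not the paper's code: an idealized Prime+Probe model of the
instruction-cache channel against square-and-multiply exponentiation. The
'cache' only records who last filled each set, the sets each routine occupies
are assumed, and the attacker probes once per exponent bit."""


class SimCache:
    """A set-associative cache reduced to its essentials: each set remembers
    which party last executed code that mapped to it."""

    def __init__(self, nsets=64):
        self.owner = ["empty"] * nsets

    def touch(self, sets, who):
        for s in sets:
            self.owner[s] = who


# Assumed footprint: the I-cache sets the victim's square and multiply code occupy.
# In the real attack these come from disassembling the library's hot loops.
SQUARE_SETS = {3, 4, 5}
MULTIPLY_SETS = {40, 41, 42, 43}


def victim_modexp(base, exponent, modulus, cache, on_step=None):
    """Left-to-right square-and-multiply, a simplified form of the loop the paper
    targeted: every bit squares, only 1-bits also multiply, so the code path (and
    cache footprint) of each step depends on the secret bit."""
    result = 1
    for bit in bin(exponent)[2:]:
        cache.touch(SQUARE_SETS, "victim")
        result = (result * result) % modulus
        if bit == "1":
            cache.touch(MULTIPLY_SETS, "victim")
            result = (result * base) % modulus
        if on_step:
            on_step()
    return result


def victim_modexp_always_multiply(base, exponent, modulus, cache, on_step=None):
    """Square-and-always-multiply: a dummy multiply on 0-bits makes every step's
    footprint identical. (Production code also needs a constant-time select and
    must avoid secret-dependent data access inside the multiply itself.)"""
    result = 1
    for bit in bin(exponent)[2:]:
        cache.touch(SQUARE_SETS, "victim")
        result = (result * result) % modulus
        cache.touch(MULTIPLY_SETS, "victim")
        product = (result * base) % modulus
        result = product if bit == "1" else result
        if on_step:
            on_step()
    return result


class Attacker:
    """Prime: fill every set with attacker code. Probe: re-execute it and note which
    sets miss (were evicted by the victim), then prime again for the next step."""

    def __init__(self, cache):
        self.cache = cache
        self.observations = []

    def prime(self):
        self.cache.touch(range(len(self.cache.owner)), "attacker")

    def probe(self):
        evicted = {i for i, who in enumerate(self.cache.owner) if who != "attacker"}
        self.observations.append(evicted)
        self.prime()

    def recover_exponent(self):
        """One observation per bit: a step that evicted the multiply sets was a 1."""
        bits = []
        for evicted in self.observations:
            if not SQUARE_SETS <= evicted:
                raise RuntimeError("every step should square; model out of sync")
            bits.append("1" if MULTIPLY_SETS <= evicted else "0")
        return int("".join(bits), 2)


def run_attack(victim, base=7, secret=0b1011001110101, modulus=1000003):
    """Run one exponentiation with the attacker probing after every bit.
    Returns (victim's result, exponent as the attacker reconstructs it)."""
    cache = SimCache()
    attacker = Attacker(cache)
    attacker.prime()
    result = victim(base, secret, modulus, cache, on_step=attacker.probe)
    return result, attacker.recover_exponent()


if __name__ == "__main__":
    secret = 0b1011001110101
    print("square-and-multiply:        recovered", bin(run_attack(victim_modexp)[1]))
    print("square-and-always-multiply: recovered",
          bin(run_attack(victim_modexp_always_multiply)[1]))
    print("secret was                 ", bin(secret))
```

Against the first victim the attacker reads the secret back bit for bit; against the second it sees the multiply sets evicted on every step and reconstructs an all-ones value, learning only how many bits the exponent has. Real mitigations go further than the dummy multiply (fixed-window or ladder exponentiation with no secret-dependent branches or table indices), and cloud operators can also deny co-residency or flush caches on VM switches, but the model captures why the defense has to live in the code path rather than in the hypervisor's access controls.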

Ars recently attempted to delve into the inner workings of the security built into Apple's iCloud service. Though we came away reasonably certain that iCloud follows the industry best practices Apple says it uses to protect data and privacy, we warned that your information isn't entirely protected from prying eyes. At the heart of the issue is that Apple, not the user, holds the keys to data synced with iCloud: it can review that data at any time, and under certain circumstances it might share it with legal authorities.

We consulted several sources to understand the implications of iCloud's security and encryption model, and to understand what types of best practices could maximize the security and privacy of user data stored in increasingly popular cloud services like iCloud. In short, Apple is taking measures to prevent access to user data from unauthorized third parties or hackers. However, iCloud isn't recommended for the more stringent security requirements of enterprise users, or those paranoid about their data being accessed by authorities.

OnLive doesn't do enough to convince us that cloud gaming is ready to be the next big thing, but the fact that it works as well as it does is undoubtedly a major technological achievement. The company has set the standard for "first gen" performance in this field, and it's now down to others to enter the market and compete. And that's exactly what upstart rival Gaikai has done - with intriguing results.

Although based on similar principles, the implementation is very different. OnLive launched with a full games service, while Gaikai specialises in offering playable demos with plans to expand beyond that when the time is right. OnLive uses widely spaced datacentres to address a large area, whereas Gaikai offers more servers closer to players. The technology behind the video compression is also very different, with OnLive using hardware encoders while Gaikai uses the x264 software running on powerful Intel CPUs.

Gaikai reckons its approach results in more responsive gameplay, better base visuals and superior video compression. So how can this be tested?

Voice-activated assistants are playing an increasingly prominent role in the technology world, with Apple's introduction of Siri for the iPhone 4S and Google's (rumored) work on a Siri competitor for Android phones.

Voice-activated technology isn't new—it's just getting better because of increasingly powerful processors and cloud services, advancements in natural language processing, and improved algorithms for recognizing voice. We spoke with Nuance Communications, maker of Dragon software and one of the biggest names in voice recognition technologies, about why voice is becoming more popular and what advancements we can expect in the future.

snydeq writes "Deep End's Paul Venezia sees few business IT situations that could make good use of full cloud storage services, outside of startups. 'As IT continues in a zigzag path of figuring out what to do with this "cloud" stuff, it seems that some companies are getting ahead of themselves. In particular, the concept of outsourcing storage to a cloud provider puzzles me. I can see some benefits in other cloud services (though I still find the trust aspect difficult to reconcile), but full-on cloud storage offerings don't make sense outside of some rare circumstances.'"

MrSeb writes "Megaupload's shutdown poses an interesting question: What happens to all the files that were stored on the servers? XDA-Developers, for example, has more than 200,000 links to Megaupload — and this morning, they're all broken, with very little hope of them returning. What happens if a similar service, like Dropbox, gets shut down — either through bankruptcy, or federal take-down? Will you be given a chance to download your files, or helped to migrate them to another similar service? What about data stored on enterprise services like Azure or AWS — are they more safe?"
And if you're interested, the full indictment against Megaupload is now available.

Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged login rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."